How to define headers for IP security restrictions of an Azure Web App, with Bicep?
Documentation says little about this, only that headers is an object.
ipSecurityRestrictions: [
  {
    priority: 1000
    name: 'AFD'
    tag: 'ServiceTag'
    action: 'Allow'
    ipAddress: 'AzureFrontDoor.Backend'
    headers: {
      x_azure_fdid: [
        '3dc8865d-90c7-4b87-8edf-99726c56543a'
      ]
    }
  }
]
Error is: The 'x_azure_fdid' header is not supported!
I tried with x_azure_fdid, xazurefdid or even 'x_azure_fdid', uppercase, etc... to no avail.
Looking at the Front Door documentation, the header name is X-Azure-FDID:
headers: {
  'x-azure-fdid': [
    '3dc8865d-90c7-4b87-8edf-99726c56543a'
  ]
}
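As an added illustration (not code from the question or the answer above), here is a small JavaScript model of how a restriction list like the one above is evaluated: rules are tried in priority order, the header name is compared case-insensitively, and a request matching no rule falls to the default action. It is a simplified model, not Azure's implementation, and the rule list, the requests and the default-deny behaviour are all constructed here. The point it makes is that the AzureFrontDoor.Backend service tag is shared by every Front Door instance, so only the X-Azure-FDID header match pins the rule to your own profile.

```javascript
// Added example: simplified model of App Service access-restriction evaluation.
// Not Azure's implementation; rule list and requests are constructed.

// Constructed rule list mirroring the accepted answer.
const EXPECTED_FDID = '3dc8865d-90c7-4b87-8edf-99726c56543a';
const rules = [
  {
    priority: 1000,
    name: 'AFD',
    tag: 'ServiceTag',
    action: 'Allow',
    ipAddress: 'AzureFrontDoor.Backend',
    headers: { 'x-azure-fdid': [EXPECTED_FDID] },
  },
];

// Lower-case header names so the comparison does not depend on how the
// client or proxy capitalised them (the answer's point about x-azure-fdid).
function normaliseHeaders(headers) {
  const out = {};
  for (const [name, value] of Object.entries(headers)) {
    out[name.toLowerCase()] = String(value);
  }
  return out;
}

// Every header listed in the rule must be present with one of its allowed values.
function headersMatch(ruleHeaders, requestHeaders) {
  return Object.entries(ruleHeaders).every(([name, allowed]) =>
    allowed.includes(requestHeaders[name.toLowerCase()]));
}

// A request is described by the service tag its source IP resolves to (done by
// the platform in the real system) or its plain source IP, plus its headers.
// Plain-IP rules are compared by equality here; real rules use CIDR ranges.
function evaluate(ruleList, request, defaultAction = 'Deny') {
  const reqHeaders = normaliseHeaders(request.headers || {});
  const ordered = [...ruleList].sort((a, b) => a.priority - b.priority);
  for (const rule of ordered) {
    const sourceMatches = rule.tag === 'ServiceTag'
      ? request.sourceTag === rule.ipAddress
      : request.sourceIp === rule.ipAddress;
    if (!sourceMatches) continue;
    if (rule.headers && !headersMatch(rule.headers, reqHeaders)) continue;
    return { action: rule.action, rule: rule.name };
  }
  return { action: defaultAction, rule: null };
}

// Constructed requests: from your own Front Door, from a different Front Door
// profile (same service tag, different FDID), and straight from the internet.
const fromOwnFrontDoor = {
  sourceTag: 'AzureFrontDoor.Backend',
  headers: { 'X-Azure-FDID': EXPECTED_FDID },
};
const fromOtherFrontDoor = {
  sourceTag: 'AzureFrontDoor.Backend',
  headers: { 'X-Azure-FDID': '00000000-0000-0000-0000-000000000000' },
};
const direct = { sourceIp: '203.0.113.10', headers: {} };

console.log(evaluate(rules, fromOwnFrontDoor));   // Allow via rule AFD
console.log(evaluate(rules, fromOtherFrontDoor)); // Deny: FDID does not match
console.log(evaluate(rules, direct));             // Deny: not from the service tag
```

Without the headers block, the second request would also be allowed, since it arrives from the same service tag; that is the gap the FDID header closes.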
Related
So I create following bicep based on https://learn.microsoft.com/en-us/azure/templates/microsoft.storage/2022-05-01/storageaccounts/managementpolicies?pivots=deployment-language-bicep.
It works fine and creates the rule, but it deletes all the existing rules. Even if there is more than one existing rule (all with different names, of course), it deletes them all and replaces them with the one rule in the Bicep script. What am I missing?
resource storage_lifecycle 'Microsoft.Storage/storageAccounts/managementPolicies@2022-05-01' = {
  name: 'default'
  parent: storageAccount
  properties: {
    policy: {
      rules: [
        {
          name: 'lifeCycleRule'
          enabled: true
          type: 'Lifecycle'
          definition: {
            filters: {
              blobTypes: [
                'blockBlob'
              ]
            }
            actions: {
              baseBlob: {
                tierToCool: {
                  daysAfterModificationGreaterThan: 30
                }
                tierToArchive: {
                  daysAfterModificationGreaterThan: 30
                }
                delete: {
                  daysAfterModificationGreaterThan: 30
                }
              }
            }
          }
        }
      ]
    }
  }
}
Based on this Stack Overflow answer, Unable to add new rule in Storage Management Policy on Azure, and my experience with Azure API Gateway, you will need to add the existing rules to the new policy.
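To show what "add the existing rules to the new policy" means in practice, here is an added JavaScript example (not from the question or the answer) that merges the rules already on the account with the rule the deployment wants to add. A PUT of the managementPolicies resource replaces the whole rules array, so the deployment has to send existing plus new rules. In a pipeline the existing rules would be read from the ARM API; here they are constructed inline.

```javascript
// Added example: merge existing lifecycle rules with a new one before the PUT.
// Existing rules are constructed; in a pipeline they come from the ARM API.

// Constructed: what is currently deployed on the storage account.
const existingRules = [
  { name: 'archiveLogs', enabled: true, type: 'Lifecycle',
    definition: { filters: { blobTypes: ['blockBlob'], prefixMatch: ['logs/'] },
                  actions: { baseBlob: { tierToArchive: { daysAfterModificationGreaterThan: 90 } } } } },
  { name: 'purgeTemp', enabled: true, type: 'Lifecycle',
    definition: { filters: { blobTypes: ['blockBlob'], prefixMatch: ['tmp/'] },
                  actions: { baseBlob: { delete: { daysAfterModificationGreaterThan: 7 } } } } },
];

// The rule from the question's Bicep.
const newRule = {
  name: 'lifeCycleRule', enabled: true, type: 'Lifecycle',
  definition: {
    filters: { blobTypes: ['blockBlob'] },
    actions: { baseBlob: {
      tierToCool: { daysAfterModificationGreaterThan: 30 },
      tierToArchive: { daysAfterModificationGreaterThan: 30 },
      delete: { daysAfterModificationGreaterThan: 30 } } },
  },
};

// Merge by rule name: an incoming rule overrides an existing rule with the same
// name, everything else is preserved. Rule names must be unique within a policy.
function mergeRules(existing, incoming) {
  const byName = new Map();
  for (const rule of existing) {
    if (byName.has(rule.name)) throw new Error(`duplicate existing rule: ${rule.name}`);
    byName.set(rule.name, rule);
  }
  for (const rule of incoming) byName.set(rule.name, rule);
  return [...byName.values()];
}

// Names of the rules a naive PUT of only the new rule would silently delete.
function rulesLost(existing, incoming) {
  const keep = new Set(incoming.map(r => r.name));
  return existing.filter(r => !keep.has(r.name)).map(r => r.name);
}

const merged = mergeRules(existingRules, [newRule]);
console.log('rules lost by naive PUT:', rulesLost(existingRules, [newRule])); // archiveLogs, purgeTemp
console.log('rules to send:', merged.map(r => r.name)); // archiveLogs, purgeTemp, lifeCycleRule
```

The merged array is what should end up in `properties.policy.rules`, for example by passing it into the Bicep file as an array parameter; `rulesLost` is a cheap pre-deployment check that makes the replacement behaviour visible instead of silent.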
I've been banging my head against a brick wall on this.
I'm trying to deploy via Azure DevOps pipeline, a bicep/ARM Template an API Connection that uses a Custom Connector that is linked to an On-prem API via a Data Gateway.
Here is my bicep file...
param connectionName string
param displayName string
param gatewayResourceGroup string
param gatewayName string
param connectorName string
param location string = resourceGroup().location

resource connector 'Microsoft.Web/customApis@2016-06-01' existing = {
  name: connectorName
}

resource gatewayApi 'Microsoft.Web/connectionGateways@2016-06-01' existing = {
  name: gatewayName
  scope: resourceGroup(gatewayResourceGroup)
}

resource apiConnection 'Microsoft.Web/connections@2016-06-01' = {
  name: connectionName
  location: location
  properties: {
    displayName: displayName
    nonSecretParameterValues: {
      authType: 'anonymous'
      #disable-next-line BCP036
      gateway: {
        name: gatewayName
        id: gatewayApi.id
        type: 'Microsoft.Web/connectionGateways'
      }
    }
    api: {
      name: connector.name
      displayName: 'CONNECTOR ${connectorName}'
      id: connector.id
      type: 'Microsoft.Web/customApis'
    }
  }
}
The issue is the nonSecretParameterValues.
They don't go anywhere.
The API Connection is deployed like...
What makes this a little worse is the deployment is successful...
But if I drill into the Operation details I can see there were two issues...
"overallStatus": "Error",
"statuses": [
  {
    "status": "Error",
    "target": "authType",
    "error": {
      "code": "ConfigurationNeeded",
      "message": "Parameter value missing."
    }
  },
  {
    "status": "Error",
    "target": "gateway",
    "error": {
      "code": "ConfigurationNeeded",
      "message": "Parameter value missing."
    }
  }
],
Very frustrating.
Now I can manually add the values I intended to be there for the authType and gateway parameters after the deployment is "successful". Then my logic app that uses this API Connection and Custom Connector to Onprem Gateway works as expected.
But the exported template for the API Connection does not change between the connection having missing parameters (in the UI) or after I manually enter the values.
I have also tried adding some PowerShell after the deployment to pick up the connection, try setting the "missing" values and update the resource from there.
I can see another API Connection via Powershell which is correctly set with the authType and gateway parameters.
But when I try to set these on the resource I need to "fix", it also complains...
I would really like to have the API Connection deployment fully via Azure DevOps pipeline.
NOTE: I find it very odd to have to use the #disable-next-line BCP036 to disable the warning in VSCode. And even opening the built ARM Template will give a warning on the "gateway" property name. I even tried replacing the "object" with just the resource id and that didn't help.
The parameters should be in a parameterValues property object:
resource apiConnection 'Microsoft.Web/connections@2016-06-01' = {
  name: connectionName
  location: location
  properties: {
    displayName: displayName
    parameterValues: {
      authType: 'anonymous'
      gateway: {
        id: gatewayApi.id
      }
    }
    ...
  }
}
Suggestion:
The nonSecretParameterValues object must be in the format of a dictionary. I cannot find any hard documentation about this as a data structure, but it's mentioned several times.
nonSecretParameterValues: {
  authType: 'anonymous'
  'gateway-name': gatewayName
  'gateway-id': gatewayApi.id
  'gateway-type': 'Microsoft.Web/connectionGateways'
}
Hope this helps.
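Since the question shows that the deployment reports success while the connection itself carries ConfigurationNeeded errors, here is an added JavaScript example (not from the question or either answer) of a post-deployment check a pipeline can run on the connection resource as returned by the ARM API. The broken sample reuses the statuses from the question; the healthy sample is constructed, and the value 'Connected' for a working connection's overallStatus is an assumption.

```javascript
// Added example: gate a pipeline on the API Connection's reported status,
// because the deployment operation itself succeeds even with missing parameters.

// Constructed: a trimmed Microsoft.Web/connections resource carrying the
// statuses shown in the question's operation details.
const brokenConnection = {
  name: 'onprem-api-connection',
  properties: {
    displayName: 'On-prem API',
    overallStatus: 'Error',
    statuses: [
      { status: 'Error', target: 'authType',
        error: { code: 'ConfigurationNeeded', message: 'Parameter value missing.' } },
      { status: 'Error', target: 'gateway',
        error: { code: 'ConfigurationNeeded', message: 'Parameter value missing.' } },
    ],
  },
};

// Constructed: the same resource after the parameters were filled in.
// 'Connected' as the healthy overallStatus value is an assumption.
const healthyConnection = {
  name: 'onprem-api-connection',
  properties: { displayName: 'On-prem API', overallStatus: 'Connected',
                statuses: [{ status: 'Connected' }] },
};

// Names of the parameters the service reports as not configured.
function missingParameters(connection) {
  const statuses = (connection.properties && connection.properties.statuses) || [];
  return statuses
    .filter(s => s.status === 'Error' && s.error && s.error.code === 'ConfigurationNeeded')
    .map(s => s.target);
}

// ok is true only when the connection is usable; message is what the pipeline
// should print before failing the job.
function checkConnection(connection) {
  const missing = missingParameters(connection);
  const overall = connection.properties ? connection.properties.overallStatus : 'Unknown';
  if (missing.length > 0) {
    return { ok: false, message: `${connection.name}: ${overall}; missing parameter values for ${missing.join(', ')}` };
  }
  if (overall !== 'Connected') {
    return { ok: false, message: `${connection.name}: overallStatus is ${overall}` };
  }
  return { ok: true, message: `${connection.name}: Connected` };
}

console.log(checkConnection(brokenConnection).message);
console.log(checkConnection(healthyConnection).message);
```

Run this against the JSON of the deployed connection (for example the output of a resource GET in a pipeline step) and fail the job when `ok` is false; that turns the "successful but unusable" deployment from the question into a visible failure.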
I am trying to create a Logic App with an Azure Queues operation. I want to use an API connection resource to connect to the storage account. However, the API Connection resource and the Logic App itself are deployed without errors, but after deployment the operation cannot find the API connection and does not work.
When I manually create the operation in the portal after deployment it works.
Part of bicep for the action in logic app:
'Put_a_message_on_a_queue_(V2)': {
  runAfter: {}
  type: 'ApiConnection'
  inputs: {
    body: 'start'
    host: {
      connection: {
        name: azureQueueConnectionId
      }
    }
    method: 'post'
    path: '/v2/storageAccounts/${storageAccountName}/queues/dailymaintenance/messages'
  }
}
The API connection:
resource logicAppConnection 'Microsoft.Web/connections@2016-06-01' = {
  name: name
  location: resourceLocation
  properties: {
    displayName: 'connect-to-${externalResourceName}'
    parameterValues: {
      storageaccount: storageAccountReference.name
      sharedkey: storageAccountReference.listKeys().keys[0].value
    }
    api: {
      name: 'azurequeues'
      displayName: 'Azure Queues'
      description: 'Azure Queue storage provides cloud messaging between application components. Queue storage also supports managing asynchronous tasks and building process work flows.'
      iconUri: 'https://connectoricons-prod.azureedge.net/releases/v1.0.1546/1.0.1546.2665/azurequeues/icon.png'
      brandColor: '#0072C6'
      id: '${subscription().id}/providers/Microsoft.Web/locations/${resourceLocation}/managedApis/azurequeues'
      type: 'Microsoft.Web/locations/managedApis'
    }
    testLinks: [
      {
        requestUri: '${environment().resourceManager}/subscriptions/${subscription().id}/resourceGroups/${resourceGroup().name}/providers/Microsoft.Web/connections/${name}/extensions/proxy/testConnection?api-version=2016-06-01'
        method: 'get'
      }
    ]
  }
}

output id string = logicAppConnection.id
This is the error I get in the Logic App Designer: "Connector not found"
I am wondering why this is not working as expected and if someone already managed to do this with bicep?
Thanks in advance
AFAIK, it is believed that if you deploy the template, both API Connections will be created, but you will have to manually update the connection inside Logic Apps by adding your service credentials. This is because, in order to complete the API connection, you must provide consent, which is not available in the template.
This script will retrieve a consent link for an OAuth Logic Apps connector connection. The consent link will then be opened, and authorization will be completed to allow a connection to be established.
For more information please refer to this blog: BICEP - Create API connections for Logic Apps & Deploy Logic Apps & API Connection with ARM
It turned out the API connection name must be set as follows to make this work (the action lives under the workflow definition, and the $connections parameter is a sibling of the definition):
definition: {
  // ... other definition properties (schema, triggers) unchanged ...
  actions: {
    'Put_a_message_on_a_queue_(V2)': {
      runAfter: {}
      type: 'ApiConnection'
      inputs: {
        body: 'start'
        host: {
          connection: {
            name: '@parameters(\'$connections\')[\'azurequeues\'][\'connectionId\']'
          }
        }
        method: 'post'
        path: '/v2/storageAccounts/${storageAccountName}/queues/dailymaintenance/messages'
      }
    }
  }
}
parameters: {
  '$connections': {
    value: {
      azurequeues: {
        connectionId: logicAppConnection.id
        connectionName: 'LogicAppConnection'
        id: '/subscriptions/xxxxxxxxxxx/providers/Microsoft.Web/locations/westeurope/managedApis/azurequeues'
      }
    }
  }
}
After I deployed this, it worked!
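The fix above is a naming contract: each ApiConnection action has to refer to a key under parameters.$connections through a @parameters('$connections')['key']['connectionId'] expression, and that key has to be declared with a connectionId. As an added JavaScript example (not from the question or the answer), here is a pre-deployment lint that checks both directions over a workflow object; the workflow is constructed from the answer's fragments, with an extra office365 action and placeholder subscription ids added to show a failing case.

```javascript
// Added example: lint a Logic App workflow's $connections wiring before deploying.
// Workflow object is constructed from the answer's fragments plus one broken action.

const workflow = {
  definition: {
    actions: {
      'Put_a_message_on_a_queue_(V2)': {
        type: 'ApiConnection',
        inputs: {
          host: { connection: { name: "@parameters('$connections')['azurequeues']['connectionId']" } },
          method: 'post',
          path: '/v2/storageAccounts/mystorage/queues/dailymaintenance/messages',
        },
      },
      // Constructed failing case: references a connection never declared below.
      'Send_mail': {
        type: 'ApiConnection',
        inputs: { host: { connection: { name: "@parameters('$connections')['office365']['connectionId']" } } },
      },
    },
  },
  parameters: {
    $connections: {
      value: {
        azurequeues: {
          connectionId: '/subscriptions/<sub>/resourceGroups/<rg>/providers/Microsoft.Web/connections/LogicAppConnection',
          connectionName: 'LogicAppConnection',
          id: '/subscriptions/<sub>/providers/Microsoft.Web/locations/westeurope/managedApis/azurequeues',
        },
      },
    },
  },
};

// The only accepted shape for host.connection.name.
const CONNECTION_REF = /^@parameters\('\$connections'\)\['([^']+)'\]\['connectionId'\]$/;

// Returns the $connections key an action refers to, or null when the name is
// not of the expected form (e.g. a raw resource id, as in the question).
function referencedConnectionKey(action) {
  const name = action.inputs && action.inputs.host && action.inputs.host.connection
    ? action.inputs.host.connection.name : undefined;
  if (typeof name !== 'string') return null;
  const m = CONNECTION_REF.exec(name);
  return m ? m[1] : null;
}

// Returns a list of problems; an empty list means the wiring is consistent.
function lintConnections(wf) {
  const problems = [];
  const declared = (wf.parameters && wf.parameters.$connections && wf.parameters.$connections.value) || {};
  const used = new Set();
  for (const [actionName, action] of Object.entries(wf.definition.actions || {})) {
    if (action.type !== 'ApiConnection') continue;
    const key = referencedConnectionKey(action);
    if (key === null) {
      problems.push(`${actionName}: host.connection.name is not a @parameters('$connections')[...]['connectionId'] reference`);
      continue;
    }
    used.add(key);
    if (!(key in declared)) problems.push(`${actionName}: references undeclared connection '${key}'`);
    else if (!declared[key].connectionId) problems.push(`${actionName}: connection '${key}' has no connectionId`);
  }
  for (const key of Object.keys(declared)) {
    if (!used.has(key)) problems.push(`connection '${key}' is declared but never used`);
  }
  return problems;
}

console.log(lintConnections(workflow));
```

The question's original action, which put a raw connection id into host.connection.name, is exactly the case the first check flags; running the lint on the compiled ARM JSON before `az deployment` would have caught it without a round trip through the designer.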
I am using Bicep to deploy open api json into Azure API Management. The snippet looks like this.
resource fuseintegrationsapi 'Microsoft.ApiManagement/service/apis@2021-08-01' = {
  name: '${apim.name}/integrations-api-${environment_name}'
  properties: {
    description: 'Contains integrations apis used to control the platform.'
    type: 'http'
    apiRevision: '1234'
    isCurrent: true
    subscriptionRequired: false
    displayName: 'Integrations Api'
    serviceUrl: '${api_backend_url}/api/test/v1/integrations'
    path: '${environment_name}/api/test/v1/integrations'
    protocols: [
      protocol
    ]
    value: api_link
    format: 'openapi+json-link'
    apiType: 'http'
  }
  dependsOn: [
    api2
  ]

  resource symbolicname 'policies' = {
    name: 'policy'
    properties: {
      value: anonymous_operation_policy
      format: 'rawxml'
    }
  }
}
Even though the revision is hardcoded to 1234, it always uses the default revision 1, and the API is not updated with the latest OpenAPI specification.
I had the same problem and figured out that you have to put the revision in the name also.
name: '${apim.name}/integrations-api-${environment_name};rev=1234'
Currently using the Node ACL module from:
https://github.com/OptimalBits/node_acl
This is working a treat, but now the requirement is to reflect any changes to our security config in our ACL layer.
What I'm looking for is a clean way to iterate over the roles defined in our security config, decide whether the permissions/resources have changed and, if they have, update or remove them.
Here is a sample security config file, take the scenario where 'put' is removed from the resource /projectId.
"roles": {
  "itemRole": [
    {
      "roles": "owner-projectId",
      "allows": [
        {
          "resources": "/projectId",
          "permissions": ["put", "post", "patch", "get", "delete"]
        },
        {
          "resources": "/projectId/settings",
          "permissions": ["put"]
        }
      ]
    },
    {
      "roles": "collaborator-projectId",
      "allows": [
        {
          "resources": "/itemId",
          "permissions": ["put", "post", "patch", "get"]
        },
        {
          "resources": "/api/resource/itemId",
          "permissions": ["put", "post", "patch", "get"]
        }
      ]
    },
    {
      "roles": "spectator-newId",
      "allows": []
    },
    {
      "roles": "admin-newId",
      "allows": [
        {
          "resources": "/api/resource/itemId/update",
          "permissions": ["put"]
        }
      ]
    }
  ]
}
The following query will allow me to iterate over the different roles and return all the allows for those resources; these allow_* entries should match what is currently in the security config:
db.getCollection('authACLresources').find( { _bucketname: {"$regex":"allows_*"}, key: { '$in': [ 'spectator-2bc240c6ffa988260b501922' ] }})
I can then look at the different permissions and compare, but I'm just wondering if there is a better way to do this? I know the node ACL module has a method called whatResources, but it doesn't give you the permissions, just the resources.
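As an added JavaScript example (not the asker's code), here is the comparison done as a plan of allow/remove operations: the security config is flattened into a role → resource → permission-set map, the current ACL state is assumed to be available in the same shape (constructed inline here; it is not read from MongoDB), and the diff yields exactly the calls to make. The config reproduces the scenario from the question, with 'put' removed from /projectId and the collaborator role dropped; applying the plan with node_acl's acl.allow(role, resource, permissions) and acl.removeAllow(role, resource, permissions) is left to the caller.

```javascript
// Added example: diff a security config against the current ACL state and
// produce the allow/removeAllow operations that reconcile them.
// Current state is constructed here, not read from the ACL backend.

// The question's config with 'put' removed from /projectId and the
// collaborator role removed entirely.
const securityConfig = {
  roles: {
    itemRole: [
      { roles: 'owner-projectId', allows: [
        { resources: '/projectId', permissions: ['post', 'patch', 'get', 'delete'] },
        { resources: '/projectId/settings', permissions: ['put'] },
      ] },
      { roles: 'spectator-newId', allows: [] },
      { roles: 'admin-newId', allows: [
        { resources: '/api/resource/itemId/update', permissions: ['put'] },
      ] },
    ],
  },
};

// Constructed 'before' state: what the ACL store currently holds.
const currentState = {
  'owner-projectId': {
    '/projectId': ['put', 'post', 'patch', 'get', 'delete'],
    '/projectId/settings': ['put'],
  },
  'spectator-newId': {},
  'collaborator-projectId': { '/itemId': ['put', 'post', 'patch', 'get'] },
};

// Flatten the config into { role: { resource: Set(permissions) } }.
// node_acl accepts a string or an array for roles and resources, so both are handled.
function desiredState(config) {
  const out = {};
  for (const group of Object.values(config.roles)) {
    for (const entry of group) {
      const roles = Array.isArray(entry.roles) ? entry.roles : [entry.roles];
      for (const role of roles) {
        out[role] = out[role] || {};
        for (const allow of entry.allows) {
          const resources = Array.isArray(allow.resources) ? allow.resources : [allow.resources];
          for (const res of resources) {
            out[role][res] = new Set([...(out[role][res] || []), ...allow.permissions]);
          }
        }
      }
    }
  }
  return out;
}

// Operations that move `current` to `desired`; a role or resource absent from
// the config has all of its current permissions removed.
function diffAcl(current, desired) {
  const ops = [];
  const roles = new Set([...Object.keys(current), ...Object.keys(desired)]);
  for (const role of [...roles].sort()) {
    const cur = current[role] || {};
    const want = desired[role] || {};
    const resources = new Set([...Object.keys(cur), ...Object.keys(want)]);
    for (const res of [...resources].sort()) {
      const have = new Set(cur[res] || []);
      const need = want[res] || new Set();
      const add = [...need].filter(p => !have.has(p));
      const remove = [...have].filter(p => !need.has(p));
      if (add.length) ops.push({ op: 'allow', role, resource: res, permissions: add });
      if (remove.length) ops.push({ op: 'removeAllow', role, resource: res, permissions: remove });
    }
  }
  return ops;
}

const plan = diffAcl(currentState, desiredState(securityConfig));
console.log(JSON.stringify(plan, null, 2));
```

Because the plan is computed before anything is written, it can be logged and reviewed as part of the deployment, which is also the natural place to notice an unintended removal such as a whole role disappearing from the config.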